Home » The OWASP Top 10 has a new look for 2021

Publication date: September 22, 2021

The OWASP Top 10 has a new look for 2021

The new OWASP Top 10 takes into account both historical blueprints and new intelligence.

Share this content

Written by Angela Polania

Angela Polania, CPA, CISM, CISA, CRISC, HITRUST, CMMC RP. Angela is the Managing Principal at Elevate and board member, and treasurer at the CIO Council of South Florida.

Since the Open Security Summit in 2017, the OWASP Top 10 has provided an established data-collection process. In 2021, the OWASP 10 has a new look. After several months of analyzing Common Weakness Enumeration (“CWE”) datasets in conjunction with re-categorizing software weaknesses and vulnerabilities, the updated roll-out is presenting a refurbished design and a more data-driven approach. The new Top 10 takes into account both historical blueprints and new intelligence on how to identify possible vulnerabilities. Specifically, the 2021 list considered both validated historical data from 2017 as well as solicited survey feedback from industry leaders that are noticing new threat trends and current challenges that are not covered by the current framework.  

2021 Change in Approach

Historically, data collection efforts by OWASP were limited to a subset of 30 CWEs.  The 2021 iteration had no restrictions on CWEs and merely asked for data (e.g. number of applications tested for any given year, applications with at least one CWE, etc.).  The unrestricted approach allowed OWASP to track how prevalent each CWE is within any given population of applications.  As result, the analysis expanded from 30 to over 400 CWEs.  Over several months of grouping and categorizing each CWE, OWASP decided to focus more on the root cause weaknesses (e.g. Cryptographic Failure as oppose to Sensitive Data Exposure).  

Supporting data for the newest adaptation has been derived from various sources: HaT (Human-Assisted Tooling), TaH (Tool-assisted Human), and raw tooling. All three processes were utilized to identify weaknesses and vulnerabilities. The results included incidence rates for each CWE category, identifying eight for inclusion from the top of that result list and relying on input from an industry audit to provide the final two categories to form the Top 10. 

For a more complete explanation of how OWASP derived the top 10 2021 list, we encourage you to read OWASP Top 10:2021 (DRAFT FOR PEER REVIEW)

We summarized the changes between the 2017 and 2021 top 10 lists as shown in the table below. 

OWASP top 10
Table 1 – Changes between the 2017 and 2021 top 10 lists.

Related posts

Contact Elevate today to learn more about Cyber Security | Elevate Insights

Elevate // +1 (888) 601-5351 // Monday to Friday 9am-6pm